Information communication has proliferated in recent years with the nearly ubiquitous adoption of computer systems and networks, such as local area networks (LANs), metropolitan area networks (MANs), wide area networks (WANs), intranets, extranets, the Internet, etcetera, in both personal and business applications. Accordingly, various computer programs and systems have been developed to facilitate such information communication. For example, EXCHANGE and OUTLOOK software programs, available from Microsoft Corporation, provide electronic mail servers and electronic mail clients, respectively, which are used widely by businesses and individuals. Software programs such as GROUPWISE, available from Novell, Inc., and LOTUS NOTES, available from International Business Machines, Inc., also provide electronic mail clients for use by businesses and individuals.
Information communication systems, such as those utilizing the above mentioned software programs, often implement features for simplifying communication tasks for the user, such as by automating particular features and tasks. For example, OUTLOOK will, in its default configuration, automatically execute Visual Basic attachments and basic script attachments to mail messages when the associated mail message is opened. Most users will not reconfigure their mail client, such as OUTLOOK, not to automatically execute such attachments, particularly if using Visual Basic scripts in electronic mail is a normal part of their business process, as doing so makes their business process more difficult and time consuming to implement because they have to explicitly execute such attachments.
Mail clients, such as OUTLOOK, also include features which allow certain types of attachments to exploit automatic execution features without a user opening or otherwise accessing an associated mail message. Such features are very convenient in that a user is not required to manually select and initiate execution of particular attachments.
However, miscreants have taken advantage of the widespread availability of information communication networks, automated features of information communication systems, the relative naivete users, and/or the inability of system administrators to detect and quickly react to malicious behavior to spawn innumerable attacks on information communication systems. For example, certain messages, such as electronic mail messages, can contain executable code that, while normally such code serves a useful function, exploits the trust that is involved by introducing malicious code that adversely affects the operation of network systems. Such malicious code is often in the form of embedded Java script or Visual Basic scripts that exploit weaknesses in electronic mail clients and electronic mail servers to generate floods of electronic mails or infect the client and/or server host with code that leads to some type of security vulnerability or destructive operation. Many users believe that opening an electronic mail is harmless or that the system should take care of an potential malicious code, so they open electronic mail messages not knowing any better or not caring, and pretty soon an infection starts.
Common types of such malicious code include viruses, Trojans, and worms. A virus, for example, is often in the form of an electronic mail attachment which is received contaminated, e.g., the mail message attachment already contains an infectant and is contagious. The virus itself will often be hosted by an electronic mail message from a trusted source, such as a friend or acquaintance, and will utilize the automated features of the user's mail client to propagate new infected mail messages directed to each entry in the user's mail client address list. Propagation in this manner is similar to an organic virus, such as the common cold, spreading as quickly as it comes into contact with others. A worm will typically be introduced into a network again in the same way as the virus described above. For example, a worm may be carried as an electronic mail attachment or embedded in a file. However, a worm is often more difficult to detect as it is often transmitted as pieces of code that collect themselves for reassembly and operation. A worm generally will operate to create a destructive pathway out of an infected system to other systems, such as through an electronic mail address book, file transfer protocol (FTP), hypertext transfer protocol (HTTP), etcetera, to carry information and/or establish a porthole (wormhole) out of the host system. A Trojan is typically a piece of code that that is hidden or buried within a file or an electronic mail that sits resident and dormant on an infected computer system waiting to be activated for destructive operation. For example, a Trojan can be time activated, it can be called through a remote command, etcetera, and when activated the infected system may start acting on its own to attack other systems or operations. In contrast to the typical virus, which reacts very rapidly and spreads almost immediately, a Trojan can sit resident and dormant for a very long time, reacting when called upon or otherwise triggered.
Malicious code, such as the aforementioned viruses, Trojans, and worms, may operate to provide certain functions to the progenitor of the code, such as to allow that person to get access to the infected machine. For example, a Trojan may be implemented for creating a special telnet connection that only the creator of the Trojan code is aware of in order to allow them to log onto an infected computer. Alternatively, a Trojan might operate to alter a host machine so that the creator of the Trojan can log on legitimately, although they are an illegitimate user. However, other malicious code operates more to propagate its payload. For example, viruses and worms are typically directed to spreading the payload, such as to create a flooding attack.
An example of a malicious code attack might be to attach a file to an electronic mail message, wherein the file appears to be an innocuous word processing (e.g., Microsoft WORD) document, slideshow (e.g., Microsoft POWERPOINT) presentation, or a Visual Basic script that does something useful, but in fact contains code that will for instance send copies of the message to everybody in the electronic mail client address book. When the recipient opens the mail message carrying the attachment, the mail client may automatically execute the attachment, thereby allowing the malicious code to execute and replicate the message with the attachment over and over. Even where the electronic mail client does not automatically execute the attachment, the recipient may unwittingly execute the malicious code believing it to be a useful attachment. The replicated messages may propagate within a particular company's information communication network, and/or may spread to external networks, continuing to be replicated and spread by each new recipient. Unchecked, the message keeps replicating and can bring the mail system down due to the message load, perhaps even seriously affecting or even crashing the entire information communication network.
A specific example of implementation of a malicious code attack asset forth above is the Code Red virus. The Code Red virus was transmitted as an electronic mail attachment, which would infect client machines causing them to spread copies of the electronic mail and its virus to anybody in the infected machine's address book. It would infect the electronic mail server with a piece of malicious code that would launch a flooding attack at a certain time of every month. This particular attack is estimated to have cost hundreds of millions of dollars in lost time to clean up the virus and return the infected systems to normal operation. Moreover, costs due to the Code Red virus continue to mount as the virus keeps coming back, preying on the inexperience of users to continue to spread.
Although the specific examples above have been described with reference to malicious code resulting in flooding type attacks, other attacks may be result from such malicious code. For example, rather than designing a virus to replicate itself and flood the network, such malicious code may be designed to delete hard drive content, to alter system configurations, to cause hardware to be damaged or destroyed, to alter data, and/or the like. However, the current trend appears to be toward the initiation of flooding or denial of service type attacks, as it takes very little sophistication to mount such an attack, the automated features of server and client systems often facilitates such attacks, user naivete can often be relied upon to further the attack, and few effective solutions are implemented to prevent such attacks.
Although most people probably are not malicious or mean spirited, attacks based upon malicious code as described above continue to increase at an alarming rate. This is a problem that started with a very low level of notoriety approximately five years ago and has doubled in the numbers of attacks and the numbers of incidents every year since. The technology and bandwidth available in the information communication networks has fueled the impact of such attacks. For example, it used to take 80 minutes for a malicious code attack to propagate across the Internet, but that time has now been reduced to approximately 4 minutes. As of the spring of 2003, the dollar amounts for damages for 2003 had already surpassed the entire dollar value lost the previous year. In addition to resulting in business disruption and a tremendous financial impact, such attacks form the basis of the most common security breaches in networks and communications today.
Initially, most attacks seemed to be originated out of a curiosity of what would result. However, as time goes on, and the profit margin in this type of activity increases, even more malicious attacks will be seen. As the more organized crime element gets involved with the individuals who know how to implement malicious code attacks and do not particularly care about the impact, we are likely to see these attacks focused on particular companies or particular parts of the government in order to cause calculated disruption in that area. For example, if some miscreant wanted to take an Internet based company, such as Ebay, offline for a number of days, thereby disrupting the business and its revenue stream or even manipulating the company's stock price, an assault of their systems may be mounted using malicious code.
There are a number of companies that provide anti-virus solutions, such as McAfee, Norton, Trend Micro, Soffos, F-Secure, etcetera. The solutions that are currently available today are software programs which, when deployed, are resident on a host system, such as a user's personal computer or laptop (collectively referred to a PCs) or on an electronic mail server to clean messages as they come into the server itself. Accordingly, these solutions are commonly called host based systems, and do not provide network based or inline devices that scan and scrub traffic as it comes into a network or leaves a network, but rather provide protection at one particular point.
It is incumbent upon the user or network administrator to maintain the updated protection files from the source of the anti-virus software program, such as from McAfee, Norton, Trend Micro, Soffos, or F-Secure (there is often a monthly fee or an annual fee for maintenance and support for that product). Accordingly, these products are only as effective as the last update that they have had. Managing and maintaining a large base of anti-virus software programs, such as anti-virus software programs installed upon individual network workstations, can be difficult and time consuming.
It should be appreciated that once the malicious code reaches the server, whether a post office protocol (POP), e.g., POP3 protocol, Internet message access protocol (IMAP), or other server configuration, the malicious code is typically already resident in the electronic mail. For example, one of the most traditional ways malicious code is able to penetrate commonly available defenses is through the use of off-line systems which are later reconnected to the network. A business traveler may be offsite, such as at a hotel or client site, and connect to a foreign network, such as a public network, to conduct business or download electronic mails. This traveler may unknowingly receive malicious code, such as because he has not yet received anti-virus updates due to his travels, because he has connected to an unprotected mail server, etcetera. When the business traveler returns to his office and again plugs their laptop into the business' network, they may be plugging in behind their firewall and behind their mail server, so everything that is on that laptop has not had a chance to be cleaned by the resident electronic mail or anti-virus program. This provides the malicious code the opportunity to contaminate the rest of the network, such as by replicating itself and going from the inside of the network out.